Lync Edge Server External Private Certificate
Hey GURUS!
Please help me out:
I'm having issues accessing Lync from external network.
Mobile clients login fine, but computer clients fail to login.
My current deployment consists in a single 2013 front-end and a single 2013 edge server.
All servers have certificates from my internal CA.
All servers have the root CA certificate installed in the trusted root certificate authority.
I have 2 sip domains, and the edge certificate has both sip domains.
However, when I test from test connectivity.microsoft.com, I get an error regarding the certificate chain.
I can't understand why lync requires a intermediate certificate, if I don't have any published in my organisation.
The certificate path goes: Root CA -> Certificate.
Also, the lync discover test runs with no errors what so ever.
This error on the edge didn't occur when I had lync 2010 running.
Does anyone know how to solve this?
Thanks!
Andrey Santana
edit: i forgot to upload the screenshot
Thiago,
The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
Andrey
How did you test the certificates from the Front End and Reverse Proxy Server?
The public website connectivity.microsoft.com need a public certificate.
But if you use private certificate in lab, it could work as long as you install the Root CA certificate on client computer.
Lisa Zheng
TechNet Community Support
Similar Messages
-
Lync Edge Server 2013 Certificate Issue seems unresolvable
I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
On the internal IP of the Edge server I use a certificate form a internal CA ( which is trusted by the edge server), the "internal" certificate issued by the internal Ca is used only between the edge server and the frontend server. An external certificate
with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl. from Globalsign is used on the external IP’s . Services have their own ip adresses and are natted by a router. Ive tested that all ports can be reached from the internet. But still no connection
possible from external clients. The ms. connectivity analyser says: "The The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through reverse proxy are no problem also internal clients
have no issue ( they both don’t use the edge but proxy ). So i assume there's someting wrong with the certificate implementation on the Edge server, however ive tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the
Lync Server Deployment Wizard the certificates seem to be OK. In the computers personal certificate store the are only the two necessary certificates ( internal and external) also intermediate certificates are installed. Routing ( default gateway on external
interface ) is working fine. So I think I'm out of options, any ideas?
Tnx,
GuidoPlease check the DNS records for sip.ipabo.nl and webconf.ipabo.nl are created on external DNS server.
Please check you can telnet Lync Edge Access service FQDN on 443 port.
Check the automatic configuration for remote access is configured correctly or you can try to sign in manually.
Follow the steps in blog blow to test your Edge Server:
http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx
Lisa Zheng
TechNet Community Support -
Lync Edge Server Certificate Issue
I've implemented a single internal Standard Edition
Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
On the internal IP of the Edge server I use a certificate form a internal CA ( which is trusted by the edge server), the "internal" certificate issued by the internal Ca is used only between the edge server and the frontend server. An external certificate
with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl. from Globalsign is used on the external IP’s . Services have their own ip adresses and are natted by a router. Ive tested that all ports can be reached from the internet. But still no connection
possible from external clients. The ms. connectivity analyser says: "The The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through reverse proxy are no problem also internal clients
have no issue ( they both don’t use the edge but proxy ). So i assume there's someting wrong with the certificate implementation on the Edge server, however ive tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the
Lync Server Deployment Wizard the certificates seem to be OK. In the computers personal certificate store the are only the two necessary certificates ( internal and external) also intermediate certificates are installed. Routing ( default gateway on external
interface ) is working fine. So I think I'm out of options, any ideas?
Tnx,
GuidoOk I found It:
It was a simple setting in the Control panel, or in the management shell:
In Set-Accessedgeconfiguration
AllowOutsideUsers was set to False. this should be true.
I found it by Using OCSlogging on the Edgeserver, looking at SIP.
So I don't understand how all the certificate and server unavailable warnings make any sense.
The next issue will be exchange integration :)
Thanks for your help everybody -
Wildcard Certifikate - Edge server/External web
Hello,
In our company we have deployed Lync 2013 CU4 with topology,
Edge server - One for all roles a/v
Front End - Standard with all roles
All certs are form our internal CA, and it works for my domain users. But for all external users or skype we need external cert. We have one wildcard cert for our domain.
So question is can we user wildcard cert for our Edge server, and exteranal serwis of front end.
Front end i think can use that is on tech net: http://technet.microsoft.com/en-us/library/gg398094.aspxGood morning,
Using a wildcard certificate on Lync Edge server is not supported, and indeed will cause you problems.
It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy. So there's
no need for a public cert on the front end in this scenario.
You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-san certificate, and use that same certificate on both servers.
OR
If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-san certificate.
Kind regards
Ben
Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
For Fun: Gecko-Studio | For Work:
Nexus Open Systems -
Problems with SNOM 7XX phones and presence of Lync Edge server
Hi to all,
we have this problem, this is the scenario (two Lync 2013 st ed. servers):
- lync 2013 FE server have internal IP address 172.21.212.XXX with internal gateway 172.21.212.254
- lync 2013 edge server have two network interface:
First INTERFACE: 3 IPs in 172.21.30.XXX (Access, web and A/V Edge) for external connection with 172.21.30.254 and internal gateway (IP NAT with public IP)
Second INTERFACE: IP 172.21.212.XXX for internal connection without gateway
- snom 7XX (50 phones) are connect to the lync server and all internal call works fine. All phones are in an internal dedicated network 172.21.218.XXX with default gateway 172.21.218.254
- when making external call with 7XX SNOM phones, the call was routed to Trunk COLT with Lync Mediation server and all works fine.
- when Lync Mediation server receive a call from our trunk COLT we have this situation:
All Lync 2013 clients work fine, audio is OK, (network 172.21.216.XXX)
Polycom CX3000 work fine audio is OK (network 172.21.218.XXX)
SNOM 710, 720, 760 FW 8.8.2.16 UC series, phones ring but NO SOUNDS from the phones and after a few seconds "Call failed due to network issues."
The only way to solve the problem is to disable the connection with Lync Edge server (remove gateway 172.21.30.254)
BUT this is not the solution because now we have no connection with INTERNET (skype, web conferencing doesen't work without edge gateway)
Why SNOM phones try to use the EDGE gateway to connect the call? Why doesn't use Lync Mediation server?
Can you help us to find a solution?
Thanks
AurelioHi,
Thanks to all for yours support.
Today, we have done some test (no employee in office today
J) and we have solved the problems.
The old implementation have had this configuration:
- the phone numbers have had a no E.164 format compliant: for all users number, the phone number have had this format TEL:012345XYZW ; EXT=XYZW with the normalization
rules:
Starting digits: 01234567
Length: At least 8 digits
Digit to remove: 0
Digit to add: nothing
Pattern to match ^(01234567\d*)$
All worked fine with this previous configuration:
Lync 2010 std with only mediation server function + Lync 2013 std front-end with all the others functions and Lync 2013 std Edge server for external connection with
Lync client Skype world, BUT we have had disabled in SNOM phones ICE function because if ICE was enabled no voice can we hear from the phones.
After dismissed Lync 2010 with only a Lync 2013 infrastructure, this configuration don’t permit to use edge server because with ICE enabled or disabled no voice from
SNOM phones.
Today we have done this operation:
Setting in Lync 2013 control panel all number for all users, in E.164 format compliant:
The phone number now have this format TEL:+39012345XYZW ; EXT=XYZW and we have deleted the previous normalization roles.
We have added this role for the EXT numbers:
Name: Routing Interno
Starting Digits: XY
Length: Exactly 4 (i.e. XYZW)
Digit to remove 0
Digit to add: +39012345
Pattern to match: ^(XY\d(2))$
Translation rule: +39012345$1
Internal extension = checked
And now all work fine.
We have solved another problem:
Lync client 2013 can't find new users:
all new Lync users are not discovered from Lync 2013 client, probably because this setting is present with Lync 2010:
PS C:\> Get-CsAddressBookConfiguration
Identity
: Global
RunTimeOfDay
: 1:30 AM
KeepDuration
: 30
SynchronizePollingInterval : 00:00:30
MaxDeltaFileSizePercentage : 20
UseNormalizationRules
: True
IgnoreGenericRules
: False
EnableFileGeneration
: True
With only Lync 2013 servers we have changed
IgnoreGenericRules to True
To set UseNormalizationRules and IgnoreGenericRules to true for Lynk 2013 infrastructure.
http://technet.microsoft.com/en-us/library/jj205160.aspx
For us all the problems are SOLVED!
Aurelio -
Hi,
I am planning to deploy 1 Lync Edge Server but the problem is we only have one public IP address. This will be deployed on a Hyper-V VM with 2 NICS installed. All tutorials I have read pertains on having 3 public IP address. The purpose is only to try Skype
federation. Our Front Edge currently works well internally. Is there any way I can deploy an Edge Server with only one Public IP?
Thanks,
-Ed-Hi Ed,
Although it is best practice to use 3 public IPs for your Edge deployment, you can indeed use just a single public IP - this is a completely supported configuration.
The reason for using 3 public IPs is so that all three Edge services (Access, AV, Conf) can all use port 443 without any conflict. If you choose to use a single IP like you suggest, then naturally these three services can't all use 443.
When you are deploying your new Edge server and configuring it in the Topology Builder, there will come a point where it will ask you if you want to use a single IP for all services. If you choose to do so, you will see that it will automatically change
the Edge services to use varying ports (5061,443,444) instead of all on 443.
Deployment of your Edge will allow external clients to sign in. However, keep in mind that external access and functionality is two part, and the deployment of a reverse proxy is required to allow mobile client sign-in and a vast array of other features
including;
• Allows external users to download meeting content for your meetings.
• Allows external users to expand distribution groups.
• Allows remote users to download files from the Address Book service.
• Allows access via the Lync Web App client.
• Provides access to the Dial-in Conferencing Settings webpage.
• Provides access to the Location Information service.
• Provides external devices access to the Device Update web service.
• Enables Lync mobile applications to discover and use the mobility URLs
• Allows Lync 2013 clients to leverage Lync Discover URLs
Importantly, your Reverse Proxy will also need a public IP.
In short, you can gain limited external connectivity with a single public IP, but if you want a FULL external feature set you will need 2 public IPs at the very least.
You cannot collocate the reverse proxy with the Edge, or use the same IP for both.
Hope that helps.
Kind regards
Ben -
LYNC EDGE Server NIC Card Setup
Hello Guys,
I need Your help about setting up the NIC on my EDGE server. I already gone through the article about Set Up Network Interfaces for Edge Servers. as I understand there
are 2 NIC required on each EDGE server (1 Internal facing 7 another 1 is External facing). I just wanted to confirm is there any option to do this with only 1 NIC card or can we configure EDGE with 1 NIC only.?
Thanks in Advance.
Rishi Aggarwal
Regards Rishi AggarwalPossible? Yes, I do this on occasion against recommendations and best practices for companies who simply can't or won't set up a second DMZ (please don't split the NICs between your internal network and DMZ, it's just bad security). Everything
mostly seems to work just fine. But, recommended and supported? No.
Here's an article from David Paulino who's also been through it:
http://uclobby.com/2014/04/17/lync-edge-server-on-a-single-subnet/
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
Lync Edge Server required for Sykpe Federation
I have a very simple and quick question I hope some people can help a newbie to Lync 2013 with.
Basically we have just installed as a trial the Lync 2013 Standard edition on a server for use of IM and Persistent chat only. We are not worried about the VOIP stuff. All is working great and everything so far is installed on one server.
I have been asked by management to add the ability to add Skype contacts. So I know I have to enroll for PIC and setup a Skype external access federation which is fine.
My question is though... can I install the "Lync 2013 Edge Server" role on the same server as my Front End Lync Server? I really dont want to pay for another Windows license to have a Lync Edge Server in my DMZ.
I am looking for some advice on why I wouldnt want to do this and if I can actually do this type of setup? The end result for me would be to have all Lync installation on one server. We only have around 50 users so not massive...
Thanks in advance everyone!Hi,
You need the aditional server for federation with Skype (PIC). You can't install FE and Edge on the same server.
David -
Lync edge server for site with 2500 users
Dear All,
I have a question with regards to the implementation of lync edge server deployment.
One of our client having lync deployment with 4000 users in a central site with 3 FE EE and edge pool with 2 Edge servers, there are planning for a new site with 2500 users.
what will be the best method for the site implementation , shall we deploy a SE Fe server and all the external communication through the Central site Edge server?
or is it required to have a separate pool for site?
please help meAgree with the others. So, there's two questions, "what will be the best method for the site implementation?" and "is it required to have a separate pool for site?".
The best method I'd suggest is use Enterprise Edition Lync so you can perform pool pairing for resiliency, and have a local edge pool as the others suggested. You have enough users to support this, and with growth you might want to be able to scale
up anyway.
Is it required? Not at all. You can send them all through the central site edge server, it's possible and fully supported. It's up to you, but I'd suggest the separate pool.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
Outbound Calls stop working when Lync Edge server is offline
All,
We have had an issue inside our environment after one of our virtual hosts died and took out our sole Edge server, basically users could not dial out and were getting the error "Network is busy" on the client. Internal dialling worked perfectly to our Lync
users but the users could not dial out via our Cisco CME server.
Our configuration is a Lync Enterprise Pool with 2 servers, DB cluster and a single Lync edge server, the mediation servers are installed on our enterprise pool servers as a single server and the CME is looking at the mediation servers directly and has nothing
pointing at the edge server.
This issue affected internal users (as the external users were all kicked out due to the server being down), the strange thing was that you got errors in snooper about the server being unavailable when you dialled out, no idea why it did this. Even stranger
was that the call itself was sent to the CME as a debug SIP showed traffic being attempted between the user and the number which confused me even more as my mobile actually rang for a single ring as well.
Has anybody got any ideas as to why the Edge server would do this to internal users?
Thanks
JamesLync checks the bandwith policy against the Edge server. As the Edge is not responding Lync is unable to check the policy and the call fails.
For the time being you may want to remove the Edge from the topology, then Lync checks against the Front End server.
I hope you do understand, that this is not a great solution, but a drastic workaround suggestion to a hidden product defect! In hidden product defect I mean Microsoft Lync document team is cynically silent and trying to cover the tracks of this product defect.
What I would consider as a straight and honest retroactive action for the Lync document team, to add a big warning section to a) single server edge deployment page + b) the Call Admission Control caveats page on Technet:
"Warning: PRODUCT DEFECT / PRODUCT LIMITATION comes here
If you associate an edge server or pool to a FE pool, and enable Call Admission Control, your single / pool edge will become SINGLE POINT OF FAILURE for your entire enterprise telephony when doing outbound call attempts!
So if outbound calls is important in your company (hell, of course it is!) then deploy at least 2x Edge servers in the same pool before enable CAC!"
But I think that warning message is way too much to ask for, thatswhy is this 2,5 years old topic still open. -
Deploy Lync Edge Server.
Hi,
We have a Lync 2013 Server. We're plan to deploy a Lync Edge Server. I just read some articles about the depoyment. I'm wondering why Lync Edge Server cannot be installed on a server with one NIC. We've 1 firewall, configured with a interface in the
LAN subnet and a interface configured in the DMZ subet. I want to install the Lync Edge Server with one NIC configured in the DMZ subnet and route all the internal traffic trought the firewall. But none of the articles recommend this scenario. Why not?Hi,
You're Lync 2013 Edge server requires two network interfaces, each residing on a different subnet - this part isn't debatable and is required in order to be a supported deployment (much less have it actually work). However its not uncommon to come across
your scenario.
As you only have a single firewall, your two options are;
1.) External interface of the Edge server in the existing DMZ subnet, and Internal interface of the edge server directly on the LAN. (this is the least preferred option of all scenarios, but is a supported topology)
2.) External interface of the Edge server in the existing DMZ subnet, and then create a second DMZ subnet to put the internal interface of the Edge server in. You would have to create an interface on your existing firewall in this subnet as well, essentially
routing traffic back to the same firewall hardware but via a different subnet. This is commonly referred to as a 'three-legged' firewall. From there the traffic can go to the LAN. This is also supported, and is more preferred than option one
The optimal solution, and the one you have probably seen in diagrams is to have back to back firewalls creating a true DMZ with the Edge server sat in between, The external interface of the edge server is on the same subnet as the internal facing adaptor
on the outer firewall, and the internal interface of the edge server is on the same subnet as the external facing adaptor of the inner firewall. This is the preferred solution, but not achievable in your current setup without the introduction of additional
components.
Of the two options applicable to you (1and2), option 2 is preferred. Both are considered less secure than option 3 from a security perspective as there is only a single firewall to breach, where as option three has layered security.
This is a very common scenario for smaller organisations - feel free to ask any further questions.
Kind regards
Ben
Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
For Fun: Gecko-Studio | For Work:
Nexus Open Systems -
Lync Edge Server Service Not Starting
i am having an issue with starting the "Lync Server Audio/Video Edge" service on my lync edge server. when i try to start the service it throws the following error..
"The Lync server audio/video edge service on local computer started and than stopped. some services stop automatically if they are not in use by other services or programs."
than in the event viewer logs there are 2 specific errors i can see that look like the following..
what is stopping me from fixing this right away is that i havent changed anything in my configuration, seems to have broke on its own. i can post more errors i have found in other places as well if needed. any help is greatly appreciatedhey sean, thanks for your response. all things point to something else using port 443 right now.. however from what i can see from a netstat command it doesnt look like anything new is running on it. here is a copy/paste of my most recent netstat command..
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 756
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2804
TCP 0.0.0.0:4443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 468
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 844
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 896
TCP 0.0.0.0:49338 0.0.0.0:0 LISTENING 1400
TCP 0.0.0.0:56483 0.0.0.0:0 LISTENING 572
TCP 0.0.0.0:56966 0.0.0.0:0 LISTENING 564
TCP 0.0.0.0:56967 0.0.0.0:0 LISTENING 2824
TCP 192.100.100.84:139 0.0.0.0:0 LISTENING 4
TCP 192.100.100.84:444 0.0.0.0:0 LISTENING 1768
TCP 192.100.100.84:5061 0.0.0.0:0 LISTENING 1908
TCP 192.100.100.84:5061 68.34.170.246:52296 CLOSE_WAIT 1908
TCP 192.100.100.84:5061 68.34.170.246:52297 CLOSE_WAIT 1908
TCP 192.100.100.84:5061 68.34.170.246:53570 CLOSE_WAIT 1908
TCP 192.100.100.85:5061 0.0.0.0:0 LISTENING 1908
TCP 192.100.100.85:5062 0.0.0.0:0 LISTENING 1844
TCP 192.100.100.85:5062 192.100.100.83:53701 ESTABLISHED 1844
TCP 192.100.100.85:5062 192.100.100.83:53967 ESTABLISHED 1844
TCP 192.100.100.85:8057 0.0.0.0:0 LISTENING 1768
TCP 192.100.100.85:8057 192.100.100.83:56612 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56617 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56618 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56619 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56620 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56628 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56629 ESTABLISHED 1768
TCP 192.100.100.85:8057 192.100.100.83:56670 ESTABLISHED 1768
TCP 192.100.100.85:57577 192.100.100.146:5357 TIME_WAIT 0
TCP 192.100.100.85:57579 192.100.100.175:5357 TIME_WAIT 0
TCP 192.100.100.85:57583 192.100.100.159:5357 TIME_WAIT 0
TCP 192.100.100.85:57584 192.100.100.147:5357 TIME_WAIT 0
TCP 192.100.100.85:57585 192.100.100.242:3911 TIME_WAIT 0
TCP [::]:80 [::]:0 LISTENING
4
TCP [::]:135 [::]:0 LISTENING
756
TCP [::]:443 [::]:0 LISTENING
4
TCP [::]:445 [::]:0 LISTENING
4
TCP [::]:3389 [::]:0 LISTENING
2804
TCP [::]:4443 [::]:0 LISTENING
4
TCP [::]:47001 [::]:0 LISTENING
4
TCP [::]:49152 [::]:0 LISTENING
468
TCP [::]:49153 [::]:0 LISTENING
844
TCP [::]:49154 [::]:0 LISTENING
896
TCP [::]:49338 [::]:0 LISTENING
1400
TCP [::]:56483 [::]:0 LISTENING
572
TCP [::]:56966 [::]:0 LISTENING
564
TCP [::]:56967 [::]:0 LISTENING
2824
TCP [2002:c064:6454::c064:6454]:4443 [2002:c064:6453::c064:6453]:54033 ESTABLISHED 4
TCP [2002:c064:6454::c064:6454]:57581 [2002:c064:64ab::c064:64ab]:445 ESTABLISHED 4
TCP [2002:c064:6454::c064:6454]:59957 [2002:c064:640c::c064:640c]:445 ESTABLISHED 4
UDP 0.0.0.0:123 *:*
948
UDP 0.0.0.0:500 *:*
896
UDP 0.0.0.0:1434 *:*
1976
UDP 0.0.0.0:4500 *:*
896
UDP 0.0.0.0:5355 *:*
140
UDP 127.0.0.1:51664 *:*
1172
UDP 127.0.0.1:56155 *:*
2924
UDP 127.0.0.1:59005 *:*
964
UDP 127.0.0.1:62503 *:*
1680
UDP 127.0.0.1:62786 *:*
572
UDP 127.0.0.1:62788 *:*
140
UDP 127.0.0.1:64531 *:*
896
UDP 127.0.0.1:65160 *:*
1844
UDP 192.100.100.84:137 *:*
4
UDP 192.100.100.84:138 *:*
4
UDP [::]:123 *:*
948
UDP [::]:500 *:*
896
UDP [::]:1434 *:*
1976
UDP [::]:4500 *:*
896
UDP [::]:5355 *:*
140 -
Any reason not to put Lync Edge server on the same server that runs Web Application Proxy?
We're currently running Lync 2010 standard server, without an edge server or reverse proxy. I'm working on migrating to lync 2013 standard server, and would like to add the edge functionality in the process. I have a Server 2012R2 in the dmz,
with the web application proxy role installed. I plan to use that to publish the lync web services. Is there any reason I shouldn't install the lync edge server on the same computer?It just won't work well as everything will want to bind to port 443 (the reverse proxy and the edge services as well). On top of all that, it's just not supported. A new virtual server will save you hours upon hours of frustration and leave you
with a supported configuration.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications -
Can't assign certificate in Lync Edge Server
Hello, everyone
I've installed Lync Server, internally it works fine, but while i'm deploying edge server, i have a certificate problem. On request assign certificate step, I've issued by online certificate authority, after request i see following error:
The certificate has been issued by the online certification authority and is installed to the local certificate store, however it is not valid. Make sure that the Root certificate, and necessary certificate chain is installed on this server.
I've downloaded root certificate from CA and imported to trusted root certificate of edge server. I think root certificate is valid, because non domain members which imported root certificate, sign in Lync successfully.
I also sent offline certificate request (http://technet.microsoft.com/en-us/library/gg412750.aspx), importing certificate was successful. But there are no certificates in assign
certificate wizard. I checked personal certificates using mmc, there were certificates i have requested.
How can I solve this problem? Please help me!
Regards and thanks for any help :)
EnkheeHi,
You need to access htt://CAserver/certsrv to download the certificate chain in the edge server. Open MMC and install the Certificate chain with the following steps(To import the CA certification chain for the internal interface ):
http://technet.microsoft.com/en-us/library/gg412750.aspx
Check whether the Certificate chain is installed successfully in the
Trusted Root Certification Authorities.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Edge 2013 External Wildcard Certificate
Hi,
I know this has been covered a number of times but I'd like something that's been posted more recently.
We use Lync 2013 with a wildcard certificate on our edge external interface. Everything works as expected and that's on version 5.0.8308.556
I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners. They're running 5.0.8308.577
When testing from Lync connectivity tester I get the following:
Attempting to resolve the host name blah.co.uk in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 758 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
Elapsed Time: 0 ms.
Testing remote connectivity for user [email protected] to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
<label for="testSelectWizard_ctl12_ctl06_ctl03_tmmArrow">Tell
me more about this issue and how to resolve it</label>
Additional Details
Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
Error Type: TlsFailureException.
Elapsed Time: 1649 ms.
Any help would be much appreciated!
ThanksHi,
Wildcard certificate doesn’t support for Edge server (both external and internal interface). It is supported to use a public certificate for Edge external interface, for Edge internal interface typically use a private certificate issued by an internal certification
authority.
More details about certificate requirements for external user access:
http://technet.microsoft.com/en-us/library/gg398920.aspx
You can refer to the link below of “Wildcard Certificate Support”:
http://technet.microsoft.com/en-us/library/hh202161.aspx
Here is a similar case my help you:
http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support
Maybe you are looking for
-
Short dump while displaying cube data in production
Hi Folks, I'm getting a short dump while displaying cube data in production, please suggest Thanks and Regards Santhosh
-
Preventing empty rows in address formats
Hallo everyone! I'd like to know if there is a method to prevent SBO2005A from printing empty rows in the address fields when for instance there is missing county in BP addresses like this: I have defined an address format that goes Block County Stre
-
ListFiles in Applet but on the server-site
Hi, does anyone knows how to get a list of files in Applet which are in folder on the server, where the applet is stored? Thank you KarFil
-
HP EVA6000 with Oracle Databases
Hi Everybody, Does anybody work with HP EVA6000 and Oracle Databases on RHEL? We have the following situation (everything is 64bits): 1) Oracle 9i Database 9.2.0.7 on RHEL4 U2 using 4 local disks RAID 0 (15000rpm each). With the following results: -
-
Reload an infocube from an ODS with erroneous information
Hi: I have an Infocube that is update from an ODS. My problem consists in the R/3 system from LO, they put an invalid string. It pass without a problem from R/3 to the ODS. But when it makes the request to load the infocube it displays red light beca